Abort due to double free or corruption

Bug #395554 reported by Lars Kr. Lundin
This bug affects 2 people
Affects: jhead (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: jhead

Abort due to double free or corruption, image corrupted by the command.

$ jhead -mkexif -ts1992:09:05-13:00:00 -ft Narsaaq.jpg
Modified: Narsaaq.jpg
Narsaaq.jpg
*** glibc detected *** jhead: double free or corruption (!prev): 0x0000000000bb0e00 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fba5c5c0cb8]
/lib/libc.so.6(cfree+0x76)[0x7fba5c5c3276]
jhead[0x405287]
jhead[0x402445]
jhead[0x403f26]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fba5c5675a6]
jhead[0x401639]
======= Memory map: ========
00400000-00411000 r-xp 00000000 08:03 39821 /usr/bin/jhead
00610000-00611000 r--p 00010000 08:03 39821 /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:03 39821 /usr/bin/jhead
00612000-00614000 rw-p 00612000 00:00 0
00bb0000-00bd1000 rw-p 00bb0000 00:00 0 [heap]
7fba58000000-7fba58021000 rw-p 7fba58000000 00:00 0
7fba58021000-7fba5c000000 ---p 7fba58021000 00:00 0
7fba5c331000-7fba5c347000 r-xp 00000000 08:03 2579 /lib/libgcc_s.so.1
7fba5c347000-7fba5c547000 ---p 00016000 08:03 2579 /lib/libgcc_s.so.1
7fba5c547000-7fba5c548000 r--p 00016000 08:03 2579 /lib/libgcc_s.so.1
7fba5c548000-7fba5c549000 rw-p 00017000 08:03 2579 /lib/libgcc_s.so.1
7fba5c549000-7fba5c6b1000 r-xp 00000000 08:03 2557 /lib/libc-2.9.so
7fba5c6b1000-7fba5c8b1000 ---p 00168000 08:03 2557 /lib/libc-2.9.so
7fba5c8b1000-7fba5c8b5000 r--p 00168000 08:03 2557 /lib/libc-2.9.so
7fba5c8b5000-7fba5c8b6000 rw-p 0016c000 08:03 2557 /lib/libc-2.9.so
7fba5c8b6000-7fba5c8bb000 rw-p 7fba5c8b6000 00:00 0
7fba5c8bb000-7fba5c93f000 r-xp 00000000 08:03 2590 /lib/libm-2.9.so
7fba5c93f000-7fba5cb3e000 ---p 00084000 08:03 2590 /lib/libm-2.9.so
7fba5cb3e000-7fba5cb3f000 r--p 00083000 08:03 2590 /lib/libm-2.9.so
7fba5cb3f000-7fba5cb40000 rw-p 00084000 08:03 2590 /lib/libm-2.9.so
7fba5cb40000-7fba5cb60000 r-xp 00000000 08:03 2537 /lib/ld-2.9.so
7fba5cd3f000-7fba5cd41000 rw-p 7fba5cd3f000 00:00 0
7fba5cd5b000-7fba5cd5f000 rw-p 7fba5cd5b000 00:00 0
7fba5cd5f000-7fba5cd60000 r--p 0001f000 08:03 2537 /lib/ld-2.9.so
7fba5cd60000-7fba5cd61000 rw-p 00020000 08:03 2537 /lib/ld-2.9.so
7fff64d4b000-7fff64d60000 rw-p 7ffffffea000 00:00 0 [stack]
7fff64dfe000-7fff64dff000 r-xp 7fff64dfe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

Same command run via valgrind:

==22678== Memcheck, a memory error detector.
==22678== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==22678== Using LibVEX rev 1884, a library for dynamic binary translation.
==22678== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==22678== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==22678== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==22678== For more details, rerun with: -v
==22678==
==22678== Invalid read of size 1
==22678== at 0x408955: (within /usr/bin/jhead)
==22678== by 0x40890A: (within /usr/bin/jhead)
==22678== by 0x408BE2: (within /usr/bin/jhead)
==22678== by 0x405E22: (within /usr/bin/jhead)
==22678== by 0x405F0A: (within /usr/bin/jhead)
==22678== by 0x4020A2: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x5423dd8 is 0 bytes after a block of size 160 alloc'd
==22678== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678== by 0x405B0B: (within /usr/bin/jhead)
==22678== by 0x405F0A: (within /usr/bin/jhead)
==22678== by 0x4020A2: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==
==22678== Invalid read of size 1
==22678== at 0x40896C: (within /usr/bin/jhead)
==22678== by 0x40890A: (within /usr/bin/jhead)
==22678== by 0x408BE2: (within /usr/bin/jhead)
==22678== by 0x405E22: (within /usr/bin/jhead)
==22678== by 0x405F0A: (within /usr/bin/jhead)
==22678== by 0x4020A2: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x5423dd9 is 1 bytes after a block of size 160 alloc'd
==22678== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678== by 0x405B0B: (within /usr/bin/jhead)
==22678== by 0x405F0A: (within /usr/bin/jhead)
==22678== by 0x4020A2: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==
==22678== Invalid write of size 8
==22678== at 0x40287C: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x543484c is 132 bytes inside a block of size 134 alloc'd
==22678== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678== by 0x4090B3: (within /usr/bin/jhead)
==22678== by 0x402B01: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==
==22678== Invalid write of size 8
==22678== at 0x402883: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x5434854 is 6 bytes after a block of size 134 alloc'd
==22678== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678== by 0x4090B3: (within /usr/bin/jhead)
==22678== by 0x402B01: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==
==22678== Invalid write of size 2
==22678== at 0x40288B: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x543485c is 14 bytes after a block of size 134 alloc'd
==22678== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678== by 0x4090B3: (within /usr/bin/jhead)
==22678== by 0x402B01: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678==
==22678== Invalid write of size 1
==22678== at 0x402893: (within /usr/bin/jhead)
==22678== by 0x403F25: (within /usr/bin/jhead)
==22678== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==22678== Address 0x543485e is not stack'd, malloc'd or (recently) free'd
Modified: a.jpg
a.jpg
==22678==
==22678== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 8 from 1)
==22678== malloc/free: in use at exit: 240 bytes in 1 blocks.
==22678== malloc/free: 30 allocs, 29 frees, 70,991 bytes allocated.
==22678== For counts of detected errors, rerun with: -v
==22678== searching for pointers to 1 not-freed blocks.
==22678== checked 81,552 bytes.
==22678==
==22678== LEAK SUMMARY:
==22678== definitely lost: 0 bytes in 0 blocks.
==22678== possibly lost: 0 bytes in 0 blocks.
==22678== still reachable: 240 bytes in 1 blocks.
==22678== suppressed: 0 bytes in 0 blocks.
==22678== Rerun with --leak-check=full to see details of leaked memory.

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: fglrx
Package: jhead 2.86-2
ProcEnviron:
 PATH=(custom, user)
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
SourcePackage: jhead
Uname: Linux 2.6.28-13-generic x86_64
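The Memcheck output above is what a triager has to read to decide how serious the heap errors are. As an added aid (this is not part of the bug report and not jhead code), the following script parses Memcheck "Invalid read/write" records, works out how many bytes past the end of its allocation each access reaches, and ranks writes ahead of reads. The sample input is constructed from lines quoted in this report; it assumes the valgrind 3.4 Memcheck line layout shown here, with "Address ... is N bytes after/inside a block of size M" lines following each error header.

```python
"""Rank Valgrind Memcheck heap errors by severity (added triage example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shapes as emitted by Memcheck (see the report above).
ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
AT_RE = re.compile(r"^==\d+==\s+at (0x[0-9A-Fa-f]+):")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
    r"a block of size (\d+)"
)
WILD_RE = re.compile(
    r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is not stack'd, malloc'd or \(recently\) free'd"
)


@dataclass
class MemErr:
    kind: str                  # "read" or "write"
    size: int                  # bytes touched by the access
    pc: str                    # address of the faulting instruction
    addr: str                  # address that was accessed
    block_size: Optional[int]  # None when the address belongs to no known block
    overflow: Optional[int]    # bytes beyond the block's end that the access reaches


def parse_memcheck(text: str) -> List[MemErr]:
    """Turn Memcheck output into one MemErr per 'Invalid read/write' record."""
    errs: List[MemErr] = []
    cur = None  # header of the record currently being read
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "size": int(m.group(2)), "pc": "?"}
            continue
        if cur is None:
            continue
        if cur["pc"] == "?":
            m = AT_RE.match(line)       # first 'at' frame is the faulting PC
            if m:
                cur["pc"] = m.group(1)
                continue
        m = ADDR_RE.match(line)
        if m:
            addr, off, rel, bsz = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            # Offset of the first accessed byte relative to the block start.
            start = {"after": bsz + off, "inside": off, "before": -off}[rel]
            overflow = max(0, start + cur["size"] - bsz)
            errs.append(MemErr(cur["kind"], cur["size"], cur["pc"], addr, bsz, overflow))
            cur = None                 # the alloc'd stack that follows is ignored
            continue
        m = WILD_RE.match(line)
        if m:
            errs.append(MemErr(cur["kind"], cur["size"], cur["pc"], m.group(1), None, None))
            cur = None
    return errs


def triage(errs: List[MemErr]) -> Tuple[List[MemErr], List[MemErr]]:
    """Writes first, then by how far past the block they reach; wild accesses separately."""
    heap = [e for e in errs if e.block_size is not None]
    wild = [e for e in errs if e.block_size is None]
    heap.sort(key=lambda e: (e.kind != "write", -(e.overflow or 0)))
    return heap, wild


# Constructed sample, assembled from lines quoted in the report above.
SAMPLE = """\
==22678== Invalid read of size 1
==22678==    at 0x408955: (within /usr/bin/jhead)
==22678==    by 0x40890A: (within /usr/bin/jhead)
==22678==  Address 0x5423dd8 is 0 bytes after a block of size 160 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==
==22678== Invalid write of size 8
==22678==    at 0x40287C: (within /usr/bin/jhead)
==22678==    by 0x403F25: (within /usr/bin/jhead)
==22678==  Address 0x543484c is 132 bytes inside a block of size 134 alloc'd
==22678==    at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==22678==
==22678== Invalid write of size 2
==22678==    at 0x40288B: (within /usr/bin/jhead)
==22678==  Address 0x543485c is 14 bytes after a block of size 134 alloc'd
==22678==
==22678== Invalid write of size 1
==22678==    at 0x402893: (within /usr/bin/jhead)
==22678==  Address 0x543485e is not stack'd, malloc'd or (recently) free'd
"""

if __name__ == "__main__":
    heap, wild = triage(parse_memcheck(SAMPLE))
    for e in heap:
        print(f"{e.kind:5} size {e.size} at {e.pc}: reaches {e.overflow} byte(s) past a {e.block_size}-byte block")
    for e in wild:
        print(f"{e.kind:5} size {e.size} at {e.pc}: {e.addr} is not in any known block")
```

On the report's own numbers this puts the 8-byte write at 0x40287C (6 bytes past a 134-byte block) and the 2-byte write at 0x40288B (16 bytes past it) ahead of the one-byte over-reads of the 160-byte block, which matches the glibc "double free or corruption" abort: the writes land in heap metadata of the neighbouring chunk, while the over-reads alone do not crash.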

Lars Kr. Lundin (v-launchpad-lklundin-dk) wrote :

Splitting the command into two like this:
jhead -mkexif Narsaaq.jpg
jhead -ts1992:09:05-13:00:00 -ft Narsaaq.jpg

seems to work (does not crash), but valgrind still reports memory error(s):

$ valgrind --leak-check=full --show-reachable=yes jhead -mkexif Narsaaq.jpg
==23119== Memcheck, a memory error detector.
==23119== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==23119== Using LibVEX rev 1884, a library for dynamic binary translation.
==23119== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==23119== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==23119== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==23119== For more details, rerun with: -v
==23119==
==23119== Invalid read of size 1
==23119== at 0x408955: (within /usr/bin/jhead)
==23119== by 0x40890A: (within /usr/bin/jhead)
==23119== by 0x408BE2: (within /usr/bin/jhead)
==23119== by 0x405E22: (within /usr/bin/jhead)
==23119== by 0x405F0A: (within /usr/bin/jhead)
==23119== by 0x4020A2: (within /usr/bin/jhead)
==23119== by 0x403F25: (within /usr/bin/jhead)
==23119== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==23119== Address 0x54233f8 is 0 bytes after a block of size 160 alloc'd
==23119== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==23119== by 0x405B0B: (within /usr/bin/jhead)
==23119== by 0x405F0A: (within /usr/bin/jhead)
==23119== by 0x4020A2: (within /usr/bin/jhead)
==23119== by 0x403F25: (within /usr/bin/jhead)
==23119== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==23119==
==23119== Invalid read of size 1
==23119== at 0x40896C: (within /usr/bin/jhead)
==23119== by 0x40890A: (within /usr/bin/jhead)
==23119== by 0x408BE2: (within /usr/bin/jhead)
==23119== by 0x405E22: (within /usr/bin/jhead)
==23119== by 0x405F0A: (within /usr/bin/jhead)
==23119== by 0x4020A2: (within /usr/bin/jhead)
==23119== by 0x403F25: (within /usr/bin/jhead)
==23119== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
==23119== Address 0x54233f9 is 1 bytes after a block of size 160 alloc'd
==23119== at 0x4C278AE: malloc (vg_replace_malloc.c:207)
==23119== by 0x405B0B: (within /usr/bin/jhead)
==23119== by 0x405F0A: (within /usr/bin/jhead)
==23119== by 0x4020A2: (within /usr/bin/jhead)
==23119== by 0x403F25: (within /usr/bin/jhead)
==23119== by 0x50CF5A5: (below main) (in /lib/libc-2.9.so)
Modified: Narsaaq.jpg
==23119==
==23119== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 8 from 1)
==23119== malloc/free: in use at exit: 240 bytes in 1 blocks.
==23119== malloc/free: 21 allocs, 20 frees, 68,789 bytes allocated.
==23119== For counts of detected errors, rerun with: -v
==23119== searching for pointers to 1 not-freed blocks.
==23119== checked 81,504 bytes.
==23119==
==23119==
==23119== 240 bytes in 1 blocks are still reachable in loss record 1 of 1
==23119== at 0x4C279E1: realloc (vg_replace_malloc.c:429)
==23119== by 0x405BD3: (within /usr/bin/jhead)
==23119== by 0x405F0A: (within /usr/bin/jhead)
==23119== by 0x4020A2: (within /usr/bin/jhead)
==23119== by 0x403F25: (within /usr/bin/jhead)
==23119== by 0x50CF5A5: (...


Ludovic Rousseau (ludovic-rousseau-gmail) wrote :

The bug is easy to reproduce. I forwarded it to the upstream maintainer.
Thanks

Changed in jhead (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Ludovic Rousseau (ludovic-rousseau-gmail) wrote :

Upstream does not care a lot about Unix systems. This bug may be open for a long time.
